Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751829AbdHBVsp (ORCPT <rfc822;w@1wt.eu>);
        Wed, 2 Aug 2017 17:48:45 -0400
Received: from mail-io0-f174.google.com ([209.85.223.174]:33846 "EHLO
        mail-io0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750725AbdHBVsn (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Aug 2017 17:48:43 -0400
Date: Wed, 2 Aug 2017 15:48:41 -0600
From: Tycho Andersen <tycho@docker.com>
To: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Cc: ima-devel <linux-ima-devel@lists.sourceforge.net>,
        containers <containers@lists.linux-foundation.org>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Yuqiong Sun <sunyuqiong1988@gmail.com>,
        David Safford <david.safford@ge.com>,
        Mehmet Kayaalp <mkayaalp@cs.binghamton.edu>,
        Stefan Berger <stefanb@linux.vnet.ibm.com>
Subject: Re: [RFC PATCH 3/5] ima: mamespace audit status flags
Message-ID: <20170802214841.hw4pzjenxw47rcyp@docker>
References: <20170720225033.21298-1-mkayaalp@linux.vnet.ibm.com>
 <20170720225033.21298-4-mkayaalp@linux.vnet.ibm.com>
 <20170801171702.f2szj5huzbt7fdfl@docker>
 <2848EE0A-2DB8-420B-A611-60967EB90F5C@linux.vnet.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2848EE0A-2DB8-420B-A611-60967EB90F5C@linux.vnet.ibm.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 933
Lines: 31

On Tue, Aug 01, 2017 at 01:25:31PM -0400, Mehmet Kayaalp wrote:
> >> +unsigned long iint_flags(struct integrity_iint_cache *iint,
> >> +			 struct ns_status *status)
> >> +{
> >> +	if (!status)
> >> +		return iint->flags;
> >> +
> >> +	return iint->flags & (status->flags & IMA_NS_STATUS_FLAGS);
> > 
> > Just to confirm, is there any situation where:
> > 
> >    iint->flags & IMA_NS_STATUS_FLAGS != status->flags & IMA_NS_STATUS_FLAGS
> > 
> > ? i.e. can this line just be:
> > 
> >    return status->flags & IMA_NS_STATUS_FLAGS;
> > 
> 
> As Guilherme had pointed out, the first & should be |.

Sorry, that mail got filtered somehow, thanks. Per your discussion, I
guess the most defensive way is:

iint->flags & ~IMA_NS_STATUS_FLAGS | status->flags & IMA_NS_STATUS_FLAGS

in case something comes along and sets IMA_AUDITED on the root iint,
we don't want it to propagate to this ns' status unnecessarily.

Anyway, thanks!

Tycho